| Index: third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html
|
| index 8f2530b84e7222df6f256a0c5e828dbfc5d10d0a..e3632519c157077c25d6368807bed21706d62496 100644
|
| --- a/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html
|
| @@ -1,86 +1,160 @@
|
| <!DOCTYPE HTML>
|
| -<script src="/js-test-resources/js-test.js"></script>
|
| +<script src="/resources/testharness.js"></script>
|
| +<script src="/resources/testharnessreport.js"></script>
|
| +<script src="/resources/get-host-info.js?pipe=sub"></script>
|
| <script>
|
| -description("Testing the handling of CORS-enabled fetch in the presence of 'credentialled' redirects.");
|
| +if (window.testRunner)
|
| + testRunner.setBlockThirdPartyCookies(false);
|
|
|
| -// Explain the short form descriptions ('=>' representing the redirect.)
|
| -debug("PASS/FAIL descriptions are of the form, 'CORS request type': 'redirect CORS type' => 'resource'");
|
| -debug("");
|
| +const host_info = get_host_info();
|
|
|
| -var redirect_cors = "use-credentials";
|
| +document.cookie = "TestCookie=same";
|
|
|
| -window.jsTestIsAsync = true;
|
| -if (window.testRunner)
|
| - testRunner.dumpAsText();
|
| +const ANOTHER_REMOTE_ORIGIN = 'http://127.0.0.1:8080';
|
|
|
| -function finish() {
|
| - if (window.testRunner)
|
| - finishJSTest();
|
| -}
|
| +const SET_COOKIE_PATH = '/security/resources/set-cookie.php';
|
|
|
| -function fail() {
|
| - debug("FAIL: " + this.description);
|
| - runNextTest();
|
| -}
|
| +const set_cookie_promise = Promise.all([
|
| + fetch(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
|
| + {mode: 'no-cors', credentials: 'include'}),
|
| + fetch(
|
| + ANOTHER_REMOTE_ORIGIN + SET_COOKIE_PATH + '?name=TestCookie&value=cross',
|
| + {mode: 'no-cors', credentials: 'include'})
|
| +]);
|
|
|
| -function pass() {
|
| - debug("PASS: " + this.description);
|
| - runNextTest();
|
| -}
|
| +let count = 0;
|
| +
|
| +function load_image(url, crossOriginAttribute, expectLoad, expectCookie) {
|
| + return new Promise((resolve, reject) => {
|
| + set_cookie_promise.then(() => {
|
| + const img = new Image();
|
| +
|
| + img.onload = () => {
|
| + if (expectLoad) {
|
| + resolve();
|
| + } else {
|
| + reject('Image loaded unexpectedly');
|
| + }
|
| + };
|
|
|
| -var tests = [
|
| - { description: "Anonymous request: credentialled => no-CORS image resource.",
|
| - url: "http://localhost:8000/security/resources/abe.png",
|
| - // Redirect is allowed, but fails access check on the non-CORS resource.
|
| - success: false,
|
| - access: "anonymous"},
|
| - { description: "Anonymous request: credentialled => anonymous CORS image resource (same origin.)",
|
| - url: "http://localhost:8000/security/resources/abe-allow-star.php",
|
| - // Redirect is allowed, as is access to the anonymous CORS resource.
|
| - success: true,
|
| - access: "anonymous"},
|
| - { description: "Anonymous request: credentialled => anonymous CORS image resource (cross origin.)",
|
| - url: "http://localhost:8080/security/resources/abe-allow-star.php",
|
| - // Redirect is allowed, as is access (with origin 'null') to the CORS resource.
|
| - success: true,
|
| - access: "anonymous"},
|
| - { description: "Credentialled request: credentialled => credentialled-CORS image resource (same origin.)",
|
| - url: "http://localhost:8000/security/resources/abe-allow-credentials.php",
|
| - // Redirect is allowed, as is access (with original origin) to the CORS resource.
|
| - success: true,
|
| - access: "use-credentials"},
|
| - { description: "Credentialled request: credentialled => credentialled-CORS image resource (cross origin.)",
|
| - url: "http://127.0.0.1:8080/security/resources/abe-allow-credentials.php",
|
| - // Redirect is allowed, source origin mutates to 'null', so credentialled resource not accessible.
|
| - success: false,
|
| - access: "use-credentials"},
|
| - { description: "Credentialled request: credentialled => anonymous-CORS image resource (same origin.)",
|
| - url: "http://localhost:8000/security/resources/abe-allow-star.php",
|
| - // Redirect is allowed, but anonymous resource with * as allowed origins is not accessible.
|
| - success: false,
|
| - access: "use-credentials"},
|
| - { description: "Credentialled request: credentialled => anonymous-CORS image resource (cross origin.)",
|
| - url: "http://127.0.0.1:8000/security/resources/abe-allow-star.php",
|
| - // Redirect is allowed, source origin mutates to 'null', so anonymous resource with * as allowed origins is not accessible.
|
| - success: false,
|
| - access: "use-credentials"},
|
| - ];
|
| -
|
| -function runNextTest() {
|
| - if (!tests.length) {
|
| - finish();
|
| - return;
|
| - }
|
| - var test = tests.shift();
|
| - var img = new Image();
|
| - img.onload = test.success ? pass : fail;
|
| - img.onerror = test.success ? fail : pass;
|
| - img.crossOrigin = test.access;
|
| - img.description = test.description;
|
| - var args = [ "mode=" + redirect_cors,
|
| - "url=" + test.url];
|
| - img.src = "http://localhost:8000/security/resources/cors-redirect.php?" + args.join("&");
|
| - document.body.appendChild(img);
|
| + img.onerror = () => {
|
| + if (expectLoad) {
|
| + reject('Image not loaded unexpectedly');
|
| + } else {
|
| + resolve();
|
| + }
|
| + };
|
| +
|
| + img.crossOrigin = crossOriginAttribute;
|
| +
|
| + const destination_params = new URLSearchParams();
|
| + destination_params.append('count', count);
|
| + ++count;
|
| + if (expectCookie) {
|
| + destination_params.append('Cookie', expectCookie);
|
| + }
|
| +
|
| + const params = new URLSearchParams();
|
| + params.append('mode', 'use-credentials');
|
| + params.append('url', url + '?' + destination_params.toString());
|
| +
|
| + img.src = host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/cors-redirect.php?' + params.toString();
|
| +
|
| + document.body.appendChild(img);
|
| + });
|
| + });
|
| }
|
| -window.onload = runNextTest;
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
|
| + 'anonymous',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes no CORS header. Fails due to CORS check.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe.png',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes no CORS header. Fails due to CORS check.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
|
| + 'anonymous',
|
| + true,
|
| + 'NotSet');
|
| +}, 'From a remote origin to the same remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-star.php',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_REMOTE_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
|
| + 'use-credentials',
|
| + true,
|
| + 'cross');
|
| +}, 'From a remote origin to the same remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials.');
|
| +
|
| +// Origin is set to null on remote to another remote redirect.
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
|
| + 'anonymous',
|
| + true,
|
| + 'NotSet');
|
| +}, 'From a remote origin to another remote origin. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-star.php',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + ANOTHER_REMOTE_ORIGIN + '/security/resources/abe-allow-credentials.php',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to another remote origin. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');
|
| +
|
| +// Origin is set to null on remote to another redirect even if the destination is the same origin as this document.
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
|
| + 'anonymous',
|
| + true,
|
| + 'NotSet');
|
| +}, 'From a remote origin to the origin of this document. crossOrigin set to anonymous. Response includes wildcard Access-Control-Allow-Origin.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-star.php',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes wildcard Access-Control-Allow-Origin. Fails due to absence of Access-Control-Allow-Credentials.');
|
| +
|
| +promise_test(() => {
|
| + return load_image(
|
| + host_info['HTTP_ORIGIN'] + '/security/resources/abe-allow-credentials.php',
|
| + 'use-credentials',
|
| + false,
|
| + undefined);
|
| +}, 'From a remote origin to the origin of this document. crossOrigin set to use-credentials. Response includes Access-Control-Allow-Credentials. Fails due to allowed origin mismatch.');
|
| </script>
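Review bot: In `load_image`, a rejection of `set_cookie_promise` never reaches the promise the function returns, because the `.then()` inside the `new Promise` executor has no rejection handler. If either cookie-setting `fetch` fails, each `promise_test` would most likely stall until the harness timeout instead of failing with the cause. Passing `reject` as the second argument, `set_cookie_promise.then(() => { ... }, reject);`, keeps that failure visible. Separately, the cases with `expectLoad` false resolve on any `onerror`, so a missing resource or an unreachable redirector passes exactly as a CORS rejection does. A comment on `img.onerror` such as `// onerror cannot distinguish a CORS failure from a network or 404 failure` would keep readers from treating those passes as proof of the CORS check alone.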
|
|
|